[NCUC-DISCUSS] Draft comments on Misuse of Whois Study - timely
Dan Krimm
dan at musicunbound.com
Sat Jan 18 20:59:10 CET 2014
I don't have the time to read through the study, but given Amr's comments
below I feel comfortable relying on his judgment about the study, and the
results therefore suggest that we ought to support Kathy's comments.
So I will trust my trusted sources in this case and join in. +1
Dan
--
Any opinions expressed in this message are those of the author alone and do
not necessarily reflect any position of the author's employer.
At 4:31 PM +0100 1/18/14, Amr Elsadr wrote:
>Hi Bill and all,
>
>I have gone through the study as well as attended the webinar with the
>researchers who performed it and find that Kathy's comments are spot on.
>The statistical significance she (and the report) mention were found to be
>with a 95% confidence rate, which is the standard accepted confidence of
>an accurate study based on quantitative analysis.
>
>I am happy to endorse this statement and am grateful to Kathy for taking
>the time to draft it.
>
>Thanks Kathy.
>
>Amr
>
>On Jan 18, 2014, at 2:57 PM, William Drake
><<mailto:wjdrake at gmail.com>wjdrake at gmail.com> wrote:
>
>>Hi Folks
>>
>>As Kathy has indicated, the timeline on this is rather short, 11:59pm UTC
>>today, and she's asking that it be approved as a NCUC statement in the
>>(probably likely) event it can't be at the NCSG level in time. The
>>challenge here is that, per previous, we have not for some time had the
>>NCUC policy committee called for in our dated bylaws to approve
>>constituency-level statements. So the way we've done such things in
>>recent years is pretty much rough consensus after hearing from as many
>>folks as possible in the time frame-certainly elected (EC) or appointed
>>(NCSG PC) representatives, and regular members as well. Admittedly, this
>>is not quite a satisfactory approach given that NCUC is now much bigger
>>and more diverse when that model set it, but in lieu of a formal PC a
>>broader and virtual PC is what we have to work with at the moment.
>>
>>So, it'd be really helpful if we could hear back either way from
>>whoever's online and can get their head around this in the next few hours.
>>
>>Thanks
>>
>>Bill
>>
>>
>>On Jan 16, 2014, at 11:52 PM, Kathy Kleiman
>><<mailto:Kathy at kathykleiman.com>Kathy at kathykleiman.com> wrote:
>>
>>>Hi All,
>>>I need your help. There is an amazing study done by two researchers (a
>>>PhD and an almost-PhD) at Carnegie Melon University. They tested the
>>>hypothesis of whether "public access to WHOIS data leads to a measurable
>>>degree of misuse of certain kinds of gTLD domain name Registrant
>>>identity and contact information." They did both a descriptive study
>>>(surveys of law enforcement and privacy people, registrants and
>>>registrars) and an experimental study (registering domain names with no
>>>other traceable source and seeing how much spam, and unsolicited phone
>>>calls and emails they received).
>>>
>>>They found what we have been telling ICANN for years: "there is a
>>>statistically significant occurrence of WHOIS misue affecting
>>>Registrants' email addresses, postal addresses, and phone numbers,
>>>published in Whois."
>>>
>>>Great and let's tell them so! I've drafted some comments that not only
>>>support the findings (and review the great effort dedicated to the
>>>study), but also draw on abuse cases we have discussed and shared from
>>>the NCUC over many years, including political persecution, chilling
>>>effects, anti-competitive activity, and stalking.
>>>
>>>Since these are Reply Comments, it is traditional to not only share your
>>>own views, but comment on those of others. Our views are, in many way,
>>>close to those of ALAC on this issue. ALAC's comments note that the
>>>Study's results "align with individual experience of At-Large
>>>constituents" and also research ALAC has done. So the noncommercial and
>>>individual registrant groups are aligned on this issue - and that is key.
>>>
>>>Below and attached please find the draft comments. Please feel free to
>>>send me edits with Track Changes (if you use the attached file). To
>>>avoid a flood on the list, feel free to share small edits with me
>>>privately. Big edits and changes are probably up for discussion.
>>>DEADLINE: SATURDAY (but I am judging my son's debate team, so tomorrow
>>>if possible).
>>>
>>>Best and tx,
>>>Kathy
>>>
>>>[DRAFT] Comments of the Noncommercial Users Constituency of ICANN
>>>Study on Whois Misuse
>>>Due: January 18, 2014
>>>
>>>
>>>The Noncommercial Users Constituency of ICANN submits this document in
>>>response to the call for public comments on the Study on Whois
>>>Misuse posted on the ICANN website. We respectfully submit that this
>>>Study is a very important one for ICANN and for the GNSO policy work
>>>ahead.
>>>
>>>We note that the study seems thorough and professionally done. Its named
>>>researchers were Dr. Nicolas Christin and Nektarios Leontiadis. Dr.
>>>Christin received his PhD in Computer Science from the University of
>>>Virginia, and is an Assistant Research Professor of Electrical and
>>>Computer Engineering at Carnegie Mellon University. Nektarios
>>>Leontiadis is a PhD candidate at Carnegie Mellon University, in the
>>>department of Engineering and Public Policy, with research focused on
>>>the economic modeling of online crime. Both are affiliated with
>>>CMU's CyLab security lab.
>>>
>>>This study stayed close and tight to the Terms of Reference set out for
>>>it -- terms set and designed by members of the GNSO and approved by the
>>>GNSO Council.
>>>
>>>The key question of the study was: Does public access to WHOIS-published
>>>data lead to a measurable degree of misuse? The answer was an
>>>unequivocal yes:
>>>
>>>The main finding of the descriptive study is that there is
>>>a statistically significant occurrence of WHOIS misuse affecting
>>>Registrants' email addresses, postal addresses, and phone numbers,
>>>published in WHOIS when registering domains in these gTLDs. Overall, we
>>>find that 44% of Registrants experience one or more of these types of
>>>WHOIS misuse. [Emphasis added, WHOIS Misuse Study, p. 6]
>>>
>>>We appreciate the extensive efforts the CMU team undertook to test the
>>>hypothesis it was given by ICANN and the GNSO. First, it conducted a
>>>descriptive study reaching out to Experts, Registrants and
>>>Registries/Registrars. Specifically, the team surveyed a "diverse group
>>>of experts in the fields of security and privacy affiliated with
>>>research institutes, academia, law enforcement agencies, Internet
>>>Service Providers (ISPs), and national data protection commissioners."
>>>[Study, p. 13]
>>>
>>>The team surveyed Registrants for a "better understanding of their
>>>direct experiences with Whois misuse" and found that 43.9% reported
>>>"some kind of misuse of their WHOIS information," including postal
>>>address misuse, email address misuse andphone number misuse tied to the
>>>Whois data, as well as Identity theft, unauthorized intrusion to
>>>servers and blackmail to which publicly-published Whois data may have
>>>been a contributing factor.
>>>
>>>Then the team surveyed Registrars and Registries about Whois harvesting
>>>attacks, and the deployment and effectiveness of WHOIS anti-harvesting
>>>techniques.
>>>
>>>Second and perhaps most interestingly, the CMU team conducted its own
>>>experimental study in which they registered a set of domain names in the
>>>top five gTLDs through a representative set of Registrars, with unique
>>>Registrant identities. Over the course of six months, they tracked
>>>emails, voicemails and postal mail received by the registrants of these
>>>experimental domain names. The purpose of the study was to eliminate
>>>"any extraneous variables," e.g. the publication of a postal address in
>>>both the Whois and an outside directory.
>>>
>>>The conclusions of the study are Striking - and answer questions
>>>floating in the GNSO for over a decade. Yes, there is abuse of
>>>publicly-published Whois data. Yes, that abuse is statistically
>>>significant. We share again the main finding of the Study for additional
>>>review in this comment period:
>>>
>>>The main finding of the descriptive study is that there is a
>>>statistically significant occurrence of WHOIS misuse affecting
>>>Registrants' email addresses, postal addresses, and phone numbers,
>>>published in WHOIS when registering domains in these gTLDs. Overall, we
>>>find that 44% of Registrants experience one or more of these types of
>>>WHOIS misuse. [Emphasis added, WHOIS Misuse Study, p. 6]
>>>
>>>We thank CMU for the extensive efforts it devoted to this study, and the
>>>extra efforts made and extra time spent to expand studies to include
>>>more experts from Latin America and overall go above and beyond the
>>>requirements for a rounded and complete study.
>>>
>>>Reply to Other Commenters:
>>>
>>>ALAC Comments:
>>>ALAC published the following comment in their comments: "We note the
>>>study has returned findings that align with individual experience of
>>>At-Large constituents plus the evidence of widespread occurrence has
>>>validated similar research undertaken by At-Large connected researchers."
>>>
>>>
>>>We note that NCUC, too, has directly experienced deeply concerning
>>>misuses of WHOIS data. In particular, attorneys in NCUC have directly
>>>experienced and directly worked with clients who have experienced:
>>>
>>>- Stalking, for which the Whois was the only published source
>>>for the location of an online, home-based business by which an ex-spouse
>>>found his wife and stalked her.
>>>- Political persecution, by which Whois data was used not only
>>>to track dissenters (some located in the US and protected by the First
>>>Amendment), but also their families located in the countries about whose
>>>corruption the websites were devoted (and who were not similarly
>>>protected);
>>>- Chilling effects, by which Whois data was used to track down
>>>and intimidate or silence those who have a different political,
>>>religious or moral view;
>>>
>>>- Anticompetitive activity - by which competitors used Whois
>>>data to track down entrepreneurs and small businesses owners and seek to
>>>intimidate them to set businesses plans and services aside.
>>>
>>>We further share with ALAC the deep concern that "WHOIS misuse is
>>>factual and widespread, as the evidence from 44% of sampled registrants
>>>across the several domains attest." We further agree that this poses a
>>>"continued threat" to the "security and confidence in the use of the
>>>Internet, [and] the public interest demands measures to address and
>>>abate its impact." ALAC
>>>Comments, <http://forum.icann.org/lists/comments-whois-misuse-27nov13/msg00006.html>http://forum.icann.org/lists/comments-whois-misuse-27nov13/msg00006.html
>>>
>>>We have the evidence, and measures must now be taken to protect
>>>Registrants, and the speech, work, expression, hobbies, research,
>>>business, education and communication they conduct using their domain
>>>names.
>>>
>>>Respectfully submitted,
>>>
>>>[if approved]
>>>
>>>NONCOMMERCIAL USERS CONSTITUENCY
>>>
>>> <NCUC DRAFT Comments - Misuse of Whois
>>>Study.docx>_______________________________________________
>>>Ncuc-discuss mailing list
>>><mailto:Ncuc-discuss at lists.ncuc.org>Ncuc-discuss at lists.ncuc.org
>>><http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss>http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
>>>
>>
>>***********************************************
>>William J. Drake
>>International Fellow & Lecturer
>> Media Change & Innovation Division, IPMZ
>> University of Zurich, Switzerland
>>Chair, Noncommercial Users Constituency,
>> ICANN, <http://www.ncuc.org/>www.ncuc.org
>><mailto:william.drake at uzh.ch>william.drake at uzh.ch (direct), <mailto:wjdrake at gmail.com>wjdrake at gmail.com
>>(lists),
>> <http://www.williamdrake.org/>www.williamdrake.org
>>***********************************************
>>
>>_______________________________________________
>>Ncuc-discuss mailing list
>><mailto:Ncuc-discuss at lists.ncuc.org>Ncuc-discuss at lists.ncuc.org
>>http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
>>
>
>
>_______________________________________________
>Ncuc-discuss mailing list
>Ncuc-discuss at lists.ncuc.org
>http://lists.ncuc.org/cgi-bin/mailman/listinfo/ncuc-discuss
More information about the Ncuc-discuss
mailing list